Unix How To: Unix Resolutions for 2010
First off, as the security pundits have been telling us for years, turn off services that you aren't using on your servers. This can be as easy as commenting out lines in your /etc/inetd.conf file, issuing svcadm disable commands or renaming S* scripts to s* scripts in your /etc/rc*.d directories. Running unneeded services only wastes resources and opens your system up to potential exploits should they become available.
Next, don't log in as root unless you really need to. Accountability suggests that you always log in as yourself and use su and sudo commands when you need the extra punch. I know from experience how easy to is to make a tiny mistake that has a devastating effect on a system. If you're not root, there are clear and dominant constraints on how much damage you can do.
Patch periodically. Make sure you apply recommended patches and that you are on the lookout for critical security patches. The latest recommended patch cluster for Solaris 10 was released just one week ago today. Did you notice?
Use your screen lock (i.e., screen saver) whenever you walk away from your desk. Even if you trust your coworkers and know that anyone wandering through your workspace will be escorted, this is a good habit to adopt. The security of your systems depends on you being careful all of the time, whether or not you feel it's necessary.
Keep your login passwords secure -- especially your root passwords! Store those that you can't remember easily in some secure tool like KeePass. Do not write them down any place where they can be discovered. If you feel you must transcribe them on paper, develop a code that reminds you of the passwords. Never never write down the passwords.
Document anything that would take you more than 30 seconds to explain to someone else. I realize that documenting our procedures is one of the things that most sysadmins despise, but it will save you effort in the long run. No matter how much I think I will remember how to do something, I find a year and a half later that I don't have total recall and even sketchy notes in a binder can save me hours of work rediscovering what I once knew and understood. Besides, when you want to move to a new project, you might have to train your replacement! A good set of notes of the hows and whys of the systems you manage can be turned over to someone else.
Close accounts when they are no longer needed. Quickly and thoroughly. There is no excuse for keeping dormant accounts on your systems, especially since unused accounts have been repeatedly used to exploit systems.
Understand and use checksums. Make sure files that you download have been downloaded intact and that you're not getting files that have been modified or corrupted.
Expire passwords even if doing so annoys your users. Unless you force good password policy, some of your users are going to choose passwords that are easy to guess. Limit the damage. They will resent you only until someone with a stupid password enables a break-in.
Use sudo or similar technology for users who only need a little bit of root access. Sudo is easy to set up and reliable. Besides, giving someone only what they via sudo means they don't have to be given the root password. How cool is that?
Monitor your log files from time to time. You can have hardware and software screaming their little hearts out and be totally oblivious to problems if you don't scan through your log files from time to time. Automated log gisting scripts can send you summaries of important messages. If you don't have something like this scanning your log files periodically, put something together.
Document your important service configurations, especially those that are tricky or difficult to understand.
Plan for disasters and think recovery. From time to time, think about the things that could go wrong on your systems and what you would do to recover if they did. Identify single points of failure. How would you replace that disk array if its power supply failed? How about that important database server?
Test your backups before you need them. If you can't recover from backups, you're not properly backing up.Years ago, I was called in to help when some colleagues needed to recover a file system. They discovered that the backups they had been running every night for six months or more had been failing, but that no one had been noticing the warnings in the log files. Nothing could be done. Six months of data were gone. Oops! And did I say scan your log files?
Look at performance on your systems from time to time so that abnormal performance will stand out as abnormal. A profile of a system's average performance will make it very clear when a system is having a bad hair day -- and it doesn't take long to generate.
Don't use telnet or allow it to be used on your systems. C'mon! We've been warned about telnet and ftp for decades now. It's time to insist on only using secure tools to connect to our systems.
Treat your users like customers you want to keep. Yes, they can be annoying, demanding and sometimes even rude, but helping them get their work done is what our trade is all about. Keep this in mind as you go about your work.
And, last but hardly least, be kind to yourself. You work way too hard, rarely get credit for all the emergencies you prevent and are worth your weight in platinum.
Have a wonderful and prosperous 2010!